August 16, 2013

To:       Steve A. Linick, Inspector General

From:     Richard Parker, Director, Office of Policy, Oversight, and Review (OPOR)

Subject:  Fannie Mae’s Compliance with FHFA Email Retention Requirements
          (Evaluation Report No. EVL-2013-011)

__________________________________________

Summary

In November 2011, while conducting an investigation, OIG special agents learned that although Fannie Mae permanently retained the email of most employees in sensitive positions, it automatically deleted the unsaved email of other employees after 60 days.[a] Consequently, email records that the special agents expected to be maintained were determined to be unavailable. An OIG representative advised Fannie Mae’s counsel and senior managers that the Enterprise’s email deletion practices could have a negative impact upon OIG’s ability to perform its mission, especially its ability to conduct thorough investigations. Fannie Mae, however, did not alter its automatic deletion practices.

In August 2012, the Principal Deputy Inspector General brought OIG’s concerns in this regard to the attention of FHFA’s Acting Director. Thereafter, on October 22, 2012, the Deputy Director for Enterprise Regulation directed Fannie Mae to:

    • Immediately begin saving all employee email records;
    • Establish a corporate 5-year email retention policy;
    • Develop a project plan to ensure that Fannie Mae’s systems and technology support the revised email retention policy; and
    • Develop an internal audit plan under which to review this area during the 2013 audit cycle.

In response to FHFA’s directive, Fannie Mae began retaining all of its employee and contractor email, including deleted messages, for a period of five years.[b] Further, it took steps to ensure that its information technology systems could support the new email retention requirement. Fannie Mae Internal Audit staff performed compliance testing of Fannie Mae’s implementation of the FHFA directive during a scheduled information technology audit.[c] The internal auditors concluded that Fannie Mae was in full compliance with FHFA’s directive.

In order to independently verify Fannie Mae’s compliance with the directive, members of the OPOR staff reviewed the internal auditors’ work papers and the records of the compliance testing they performed. OPOR staff members also interviewed Fannie Mae IT personnel and obtained additional evidence regarding back-up tape retention. At the close of its review, the OPOR team concurred with the Fannie Mae internal auditors’ conclusion that the Enterprise now captures and stores all email activity, including deleted emails, as required by FHFA’s directive.[d]

Conclusion

OIG’s involvement in this situation, coupled with FHFA’s directive, has caused Fannie Mae to put into place a basic email retention system, thereby enabling OIG and others to conduct more comprehensive investigations into matters that involve email sent and received by Fannie Mae employees. This development represents a marked improvement over the situation that existed during the time that Fannie Mae destroyed most employee emails after 60 days. OIG will continue to monitor FHFA’s oversight of Fannie Mae’s and Freddie Mac’s email retention practices and records management policies to ensure that they fulfill their intended purposes.

__________________________________________

[a] Fannie Mae IT staff estimated that the “other employees” portion of Fannie Mae’s staff consists of 13,000 users who have mailboxes on the Enterprise’s email system. Approximately 6,000 of the users are Fannie Mae employees. The rest of the mailboxes are assigned to contractors or specific business areas.

[b] Fannie Mae has retained back-up tapes of employee email from August 6, 2012, forward; however, the tapes do not capture deleted messages. The expanded technology solution implemented in January 2013, as a result of FHFA’s directive, captures all email, including deleted messages.

[c] Fannie Mae’s internal auditors reviewed and tested the technical capabilities of Windows Exchange servers that support the five-year email retention requirement. They also recommended that Fannie Mae management enhance the Backup and Recovery Service Level Requirements and Procedures. Finally, the auditors said that during the 2013 Data Center Operations Audit they would continue to review back-up and recovery procedures for the overall technology infrastructure, including retention of email.

[d] OIG determined that Fannie Mae has expanded its existing retention processes to include all user accounts and set the retention period to five years.